Week 5 In Review – 2011

Events Related

ShmooCon 2011
Getting to ShmooCon each year is always challenging (as is trying to get home). Mother Nature seems to enjoy disrupting the travel to and from the conference, which is held in Washington, D.C. in January or February of each year.

Participate remotely on the OWASP Summit – diniscruz.blogspot.com
The OWASP Summit is gearing up to be an amazing event. If you are not able to make it in person to Portugal, then please make the time to participate remotely.

Announcing Pwn2Own 2011 – dvlabs.tippingpoint.com
It’s that time of year again and the Zero Day Initiative (ZDI) team here at HP TippingPoint is proud to announce the 5th annual Pwn2Own competition is back.

Resources

2010 Top Web Application Hack Attacks – chaptersinwebsecurity.blogspot.com
I must admit that I was curious just like everybody else, what 2010 will look like, retrospectively, through the eyes of the international infosec community.

OMG-WTF-PDF Denouement – blog.fireeye.com
I recently gave this presentation at the 27th Chaos Computer Congress in Berlin. For some reason, the slides never made it from Pentabarf to the Fahrplan.

Guide to Security for Full Virtualization Technologies – csrc.nist.gov
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure.

ShmooCon 2011 Library
This year I talked about my improvements to VERA over the past 6 months. Much of the talk was centered around live demos, which unfortunately did not make it to the slides. The new tracing module and updated versions of the VERA code will be posted here soon.

So you think your *capability* model is bad? – lcamtuf.blogspot.com
In his recent post, Brad Spengler mocked the Linux capability system – a somewhat ill-conceived effort to add modern access controls on top of the traditional Unix permission model.

Tools

Password Length Matters – justanotherhacker.com
In fact, it matters so much that the term password is just plain wrong. Passphrase is better, and I did mean to start using that term instead.

GoogleDiggity
The Google Hacking Diggity Project is a research and development initiative dedicated to investigating the latest techniques that leverage search engines, such as Google and Bing, to quickly identify vulnerable systems and sensitive data in corporate networks.

Pentesting Web Services with WS-Attacker v1.0 – sourceforge.net
WS-Attacker is a modular framework for web services penetration testing. It is a free and easy to use software solution, which provides an all-in-one security checking interface with only a few clicks.

InformIT: comparing static analysis tools – mail-archive.com
There are cases where dynamic and static each have clear strengths. Pragmatic combination of the two has promise in solving a broad spectrum of test-cases.

UPDATE: NetworkMiner 1.0 – sourceforge.net
Fresh off the compiler again! A newer version of NetworkMiner has just been released a few hours ago! The updated NetworkMiner version 1.0 is out!

ShmooCon Ghost in the Shellcode 2011 – ppp.cylab.cmu.edu
Just got back from ShmooCon and it seems that some people want a writeup for the taped challenge. I highly encourage you to try it yourself first, because once you see the bug, it takes away some of the fun.

IPv6-What’s New – blogs.cisco.com
IPv6 is becoming more widely deployed as the availability of IPv4 addresses continues to decline. In June, Cisco will be participating in World IPv6 Day, a 24-hour global “test drive” of IPv6 that is organized by the Internet Society.

How To: Forensically Sound Mac Acquisition in Target Mode – computer-forensics.mac.org
It is really a matter of personal opinion; Macs are an engineering marvel. Just ask anyone who has had to remove a hard drive from a Mac for forensic imaging and then tried to put it back together properly.
